MISP
/
misp-rfc
mirror of https://github.com/MISP/misp-rfc
2
0
Fork 0
Code Issues Releases Wiki Activity

Added first version of the objects

pull/8/head
Andras Iklody 2017-09-19 11:37:33 +02:00 committed by GitHub
parent 78c6aca080
commit 83e91e556b
1 changed files with 154 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

154
misp-core-format/raw.md
View File

@ -638,6 +638,160 @@ value represents the payload of an attribute. The format of the value is depende
value is represented by a JSON string. value **MUST** be present. value is represented by a JSON string. value **MUST** be present.
## Object
Objects serve as a contextual bond between a list of attributes within an event. Their main purpose is to describe more complex structures than can be described by a single attribute
Each object is created using an Object Template and carries the meta-data of the template used for its creation within. Objects belong to a meta-category and are defined by a name.
The schema used is described by the template_uuid and template_version fields.
A MISP document containing an Object **MUST** contain a name, a meta-category, a description, a template_uuid and a template_version as described in the "Object Attributes" section.
### Sample Object object
~~~~~
"Object": {
"id": "588",
"name": "file",
"meta-category": "file",
"description": "File object describing a file with meta-information",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "3",
"event_id": "56",
"uuid": "398b0094-0384-4c48-9bf0-22b3dff9c4d3",
"timestamp": "1505747965",
"distribution": "5",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"ObjectReference": [],
"Attribute": [
"id": "7822",
"type": "filename",
"category": "Payload delivery",
"to_ids": true,
"uuid": "59bfe3fb-bde0-4dfe-b5b1-2b10a07724d1",
"event_id": "56",
"distribution": "0",
"timestamp": "1505747963",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "588",
"object_relation": "filename",
"value": "StarCraft.exe",
"ShadowAttribute": []
]
}
~~~~~
### Object Attributes
#### uuid
uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the object. The uuid **MUST** be preserved
for any updates or transfer of the same object. UUID version 4 is **RECOMMENDED** when assigning it to a new object.
#### id
id represents the human-readable identifier associated to the object for a specific MISP instance.
id is represented as a JSON string. id **SHALL** be present.
#### name
name represents the human-readable name of the object describing the intent of the object package.
name is represented as a JSON string. name **MUST** be present
#### meta-category
meta-category represents the sub-category of objects that the given object belongs to. meta-categories are not
tied to a fixed list of options but can be created on the fly.
meta-category is represented as a JSON string. meta-category **MUST** be present
#### description
description is a human-readable description of the given object type, as derived from the template used for creation.
description is represented as a JSON string. id **SHALL** be present.
#### template_uuid
uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the template used to create the object. The uuid **MUST** be preserved
to preserve the object's association with the correct template used for creation. UUID version 4 is **RECOMMENDED** when assigning it to a new object.
#### template_version
template_version represents a numeric incrementing version of the template used to create the object. It is used to associate the object to the
correct version of the template and together with the template_uuid forms an association to the correct template type and version.
version is represented as a JSON string. version **MUST** be present.
#### event_id
event_id represents the human-readable identifier of the event that the object belongs to on a specific MISP instance.
event_id is represented as a JSON string. event_id **SHALL** be present.
#### timestamp
timestamp represents a reference time when the object was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone **MUST** be UTC.
timestamp is represented as a JSON string. timestamp **MUST** be present.
#### distribution
distribution represents the basic distribution rules of the object. The system must adhere to the distribution setting for access control and for dissemination of the object.
distribution is represented by a JSON string. distribution **MUST** be present and be one of the following options:
0
: Your Organisation Only
1
: This Community Only
2
: Connected Communities
3
: All Communities
4
: Sharing Group
#### sharing_group_id
sharing\_group\_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the object, if distribution level "4" is set.
sharing\_group\_id is represented by a JSON string and **SHOULD** be present. If a distribution level other than "4" is chosen the sharing\_group\_id **MUST** be set to "0".
#### comment
comment is a contextual comment field.
comment is represented by a JSON string. comment **MAY** be present.
#### deleted
deleted represents a setting that allows attributes to be revoked. Revoked attributes are not actionable and exist merely to inform other instances of a revocation.
deleted is represented by a JSON boolean. deleted **MUST** be present.
#### Attribute
Attribute is an array of attributes that describe the object with data.
Each attribute in an object **MUST** contain the parent event's ID in the event_id field and the parent object's ID in the object_id field.
#### ObjectReference
ObjectReference is an array of object references that describe a relationship between the parent object and another object or attribute contained within the same event.
Each Object reference must contain
## Tag ## Tag